Closed cpholguera closed 1 month ago
I can work on this. Please assign this to me.
Hi @cpholguera, can you explain a bit more about the test cases derived from this risk and what the term "hardcoded keys used at runtime" means here? We came up with two possible conclusions: the first could be the detection of API tokens and secrets hardcoded in the code, and the second could be the detection of keys of the cryptographic algorithm. Thanks,
@ScreaMy7 This comes from the original requirement MASVS 3.1 (MSTG-CRYPTO-1): "The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption."
The fact that "sensitive data is hardcoded in the app package" should be covered by https://github.com/OWASP/owasp-mastg/issues/2543 (which will include crypto keys, API keys and more).
This risk here is about the "use of Cryptographic Keys" specifically.
The tests should be pretty straightforward using as a base the existing MASTG v1 tests linked above. For example, the Android one illustrates this case: https://mas.owasp.org/MASTG/tests/android/MASVS-CRYPTO/MASTG-TEST-0013/
So basically the work to be done here is:
Here are 2 existing risks including static and dynamic tests which you can use as a reference:
Guidelines: https://docs.google.com/document/d/1EMsVdfrDBAu0gmjWAUEs60q-fWaOmDB5oecY9d9pOlg/edit?usp=sharing
Description
Create a new weakness for "Hardcoded Cryptographic Keys in Use (MASVS-CRYPTO-2)" using the following information:
One thing is to include hardcoded keys in the code, another is to use them.
Update https://github.com/OWASP/owasp-mastg/blob/master/weaknesses/MASVS-CRYPTO/MASWE-0013.md including the following content:
To complete the sections follow the guidelines from Writing MASTG Risks & Tests. Use other MASWE items in "status: new" for reference. For example: MASWE-0027.
Use at least the following references:
When creating the corresponding tests, use the following areas to guide you:
MASTG v1 Refactoring:
If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.
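As an added illustration of the distinction drawn in this issue (a key that is merely present in the code versus one that is actually handed to a cipher, which is the MASVS-CRYPTO-2 case that MASTG-TEST-0013 checks statically), here is a small regex-based Python check over constructed Java snippets. This is not MASTG or MASWE code: it assumes a simplified Java syntax, and the sample source, constant names and key values are made up.

```python
"""Toy static check for MASVS-CRYPTO-2: a hardcoded key that is actually
passed to SecretKeySpec versus literal material that is merely present.
Regex-based and deliberately simple; an illustration, not a MASTG tool."""
import re

# Java constants initialised with a literal (assumed simplified syntax).
BYTE_ARRAY_DEF = re.compile(r'byte\[\]\s+(\w+)\s*=\s*\{[^}]*\}')
STRING_DEF = re.compile(r'String\s+(\w+)\s*=\s*"(?:[^"\\]|\\.)*"')
# First argument of new SecretKeySpec(...): a string literal or an identifier,
# optionally followed by .getBytes(...).
KEYSPEC_USE = re.compile(
    r'new\s+SecretKeySpec\s*\(\s*("(?:[^"\\]|\\.)*"|\w+)(?:\.getBytes\([^)]*\))?\s*,')


def find_hardcoded_key_use(source: str) -> dict:
    """Classify literal material in Java source by whether it reaches a cipher key."""
    literals = set(BYTE_ARRAY_DEF.findall(source)) | set(STRING_DEF.findall(source))
    in_use, inline = set(), []
    for m in KEYSPEC_USE.finditer(source):
        arg = m.group(1)
        if arg.startswith('"'):
            inline.append(arg)      # literal passed straight into the key
        elif arg in literals:
            in_use.add(arg)         # constant with a literal value flows into the key
        # Any other identifier (e.g. Keystore-derived) is not flagged by this check.
    return {
        "in_use": sorted(in_use),
        "inline": inline,
        "defined_only": sorted(literals - in_use),  # present, but never used as a key
    }


# Constructed sample, not taken from any real app.
SAMPLE = '''
private static final byte[] KEY = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                                   0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10};
private static final String LEGACY = "0123456789abcdef";
private static final byte[] IV = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
SecretKeySpec k1 = new SecretKeySpec(KEY, "AES");
SecretKeySpec k2 = new SecretKeySpec(LEGACY.getBytes(StandardCharsets.UTF_8), "AES");
SecretKeySpec k3 = new SecretKeySpec("hunter2hunter2!!".getBytes(), "AES");
SecretKey k4 = (SecretKey) keyStore.getKey("alias", null);  // Keystore-backed: not flagged
'''

if __name__ == "__main__":
    for kind, items in find_hardcoded_key_use(SAMPLE).items():
        print(f"{kind}: {items}")
```

Entries under "defined_only" (here the IV) still need manual triage, since the check cannot tell a key from other literal material; the "in_use" and "inline" entries are the ones this weakness is about.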